SSCP Incident Response and Recovery Questions and Answers

Question 1

An incident response analyst has confirmed that a workstation is infected with malware and is actively communicating with an external command-and-control server.
According to the NIST incident response lifecycle, which of the following is the MOST appropriate immediate action?

Accepted Answer

Disconnect the workstation from the network.

Answer

Perform a full forensic image of the workstation's hard drive.

Answer

Reimage the workstation from a known good backup.

Answer

Analyze the malware to determine its full capabilities.

Question 2

Which of the following BEST describes the primary goal of a Business Continuity Plan (BCP)?

Accepted Answer

To maintain critical business functions during and after a significant disruption.

Answer

To restore IT systems and data at an alternate location after a catastrophe.

Answer

To perform a root cause analysis of a disruptive event to prevent recurrence.

Answer

To prosecute individuals responsible for causing a business disruption.

Question 3

An organization has successfully contained and eradicated a security threat. During which phase of the incident response lifecycle would the team formally document their findings and recommend improvements to security controls and procedures?

Accepted Answer

Post-Incident Activity

Answer

Detection and Analysis

Answer

Preparation

Answer

Containment, Eradication, & Recovery

Question 4

A financial services company has a regulatory requirement to resume critical operations within one hour of a disaster declaration. The company needs a recovery site that is fully configured with all necessary hardware, software, and real-time synchronized data. Which type of disaster recovery site would BEST meet this requirement?

Accepted Answer

Hot Site

Answer

Warm Site

Answer

Cold Site

Answer

Mobile Site

Question 5

During the Detection and Analysis phase of an incident response, a SOC analyst notices anomalous traffic patterns from a server. What is a critical next step within this specific phase?

Accepted Answer

Validating the incident by correlating logs from firewalls, IDS, and server event logs.

Answer

Patching the server to remove potential vulnerabilities.

Answer

Implementing new firewall rules to block the anomalous traffic.

Answer

Restoring the server from a known-good backup.

Question 6

After containing a malware outbreak and removing the malicious files from all affected systems, the incident response team identifies that the malware exploited an unpatched vulnerability in a web application. What is the most critical activity to perform during the Eradication and Recovery phase to prevent immediate reinfection?

Accepted Answer

Apply the necessary security patch to fix the web application vulnerability.

Answer

Conduct a lessons learned meeting with all stakeholders.

Answer

Restore all user data from backups made prior to the incident.

Answer

Perform a new vulnerability scan across the entire network.